b'MANAGEMENT OF INFORMATION TECHNOLOGY EQUIPMENT,\n       OFFICE OF THE SECRETARY OF DEFENSE\n\n\nReport No. D-2001-096                   April 9, 2001\n\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General, DoD,\n  Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports\n  Distribution Unit of the Audit Followup and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                     Inspector General, Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAIRM                  Automated Information Resource Management\nASD(C3I)              Assistant Secretary of Defense (Command, Control,\n                         Communications, and Intelligence)\nCIO                   Chief Information Officer\nITE                   Information Technology Equipment\nOSD                   Office of the Secretary of Defense\nWHS                   Washington Headquarters Services\n\x0c\x0c                       Office of the Inspector General, DoD\nReport No. D-2001-096                                                      April 9, 2001\n  (Project No. D2001FA-0040)\n\n           Management of Information Technology Equipment,\n                  Office of the Secretary of Defense\n\n                                Executive Summary\n\nIntroduction. An Inspector General, DoD, Report of Investigation issued on\nAugust 28, 2000, indicated that the investigation was complicated by incomplete Office\nof the Secretary of Defense (OSD) inventory records for information technology\nequipment, such as personal computers. In addition, the investigation identified\nsecurity issues concerning the disposal of personal computer hard drives. As a result,\nwe initiated an audit of information technology equipment management at the OSD.\n\nThe Director, Washington Headquarters Services (WHS) is responsible for managing\nthe information technology equipment program for the OSD, the WHS, and other\nassigned DoD activities. The Director, Information Operations and Reports, WHS, is\nresponsible for reviewing automated information systems requirements for those\norganizations and ensuring that DoD standardization, interoperability, security, and\ninformation-sharing requirements are met. Also, the Director, Information Operations\nand Reports, has the responsibility to maintain and operate an automated centralized\ninventory control system that is compatible with other DoD-wide inventory systems.\nThe WHS system included records for about 34,000 items of information technology\nequipment with a total value of $99.8 million. The inventory of information technology\nequipment included central processing units, hard drives, personal computers, and\ncomputer monitors.\n\nObjectives. Our objective was to evaluate the management of information technology\nequipment in the possession of the OSD. Specifically, we tested the existence and\ncompleteness of information technology equipment databases and other records used to\ncontrol equipment within the OSD. Existence tests measure the ability to physically\nlocate the equipment recorded on the information technology inventory databases.\nCompleteness tests ascertained whether equipment located in OSD work spaces was\nrecorded on the information technology inventory databases. We also assessed the\nmanagement control program as it relates to the overall objective.\n\nResults. The Office of the Secretary of Defense information technology equipment\nmanagement practices and controls needed improvement. Although WHS has reported\nprogress over the last several years in improving inventory records, more needs to be\ndone. Based on a physical inventory test of sample items, we statistically estimated that\nof about 34,000 items of information technology equipment, 2,790, or 8 percent, of the\nitems would not be found after a reasonable search was performed, and that an\n\x0cestimated 7,859, or 23 percent, of the inventory records would contain inaccurate\ninformation. Also, to test the completeness of the inventory records, we selected 635\npieces of equipment from the OSD work spaces and determined that 51 items were not\nincluded on any inventory record. We also identified security vulnerabilities related to\nthe disposal of OSD computers containing sensitive information and the inappropriate\nuse of personal digital devices in secure classified areas. As a result, the OSD risked\nthe loss of computer equipment and the disclosure of sensitive and classified\ninformation. See Appendix A for details on the review of the management control\nprogram.\n\nManagement Actions. During the audit, we provided two memorandums to the\nDeputy Secretary of Defense to advise of weaknesses in computer disposal operations\nand problems with the inventory management of information technology equipment.\nWe also made six recommendations to improve inventory management. The Deputy\nSecretary of Defense responded to each memorandum and directed the Assistant\nSecretary of Defense (Command, Control, Communications, and Intelligence) to\nimplement the audit recommendations and to take immediate action to correct the\nproblems. Subsequently, the DoD Chief Information Officer Executive Board\nestablished a working group to review issues and refine the policy related to the Deputy\nSecretary of Defense direction to destroy DoD computers hard drives prior to disposal.\nSee Appendix B for copies of the Deputy Secretary of Defense guidance.\n\nSummary of Recommendations. We recommend that the Assistant Secretary of\nDefense (Command, Control, Communications, and Intelligence) establish a time-\nphased plan to implement the corrective actions directed by the Deputy Secretary of\nDefense during the audit, and to develop policy regarding the proper use of current\ntechnology items, such as personal digital devices, with secured classified computers.\n\nManagement Comments. The Deputy Assistant Secretary of Defense, Command,\nControl, Communications, and Intelligence acknowledged the concurrence of the\nDeputy Secretary of Defense to the audit report findings and recommendations. The\nDeputy Assistant Secretary stated that actions were underway to develop a time-phased\nimplementation plan for the recommendations and to provide for the DoD Chief\nInformation Officer to serve as the OSD Chief Information Officer. The Deputy\nAssistant Secretary stated that further analysis might lead to alternative actions, as did\nthe Director, Washington Headquarters Services. The Director, Policy Automation,\nOffice of the Deputy Under Secretary of Defense Policy Support, expressed concerns\nwith the accuracy of the data in the report. See the Finding section for a discussion of\nthe management comments and the Management Comments section for the complete\ntext of the comments.\n\nAudit Response. Management comments were generally responsive. We agree that\nthere could be cost effective alternatives to some recommendations. However, the\nDeputy Secretary of Defense clearly committed DoD to seeking further inventory\nmanagement improvement and reducing security risks associated with the loss of\ncomputers and hard drives containing sensitive data. We met with a representative of\nthe Director, Policy Automation, and demonstrated that there was no basis for concern\nregarding the accuracy of the data in the report. We request that the Assistant\n                                           ii\n\x0cSecretary of Defense (Command, Control, Communications, and Intelligence) inform\nus by June 8, 2001, on when the implementation plan will be complete and what\nalternative actions, if any, have been approved.\n\n\n\n\n                                        iii\n\x0cTable of Contents\n\nExecutive Summary                                                            i\n\nIntroduction\n     Background                                                              1\n     Objectives                                                              1\n\nFinding\n     Management of Information Technology Equipment                          2\n\nAppendixes\n     A. Audit Process\n         Scope                                                              10\n         Methodology                                                        10\n         Statistical Sampling Methodology                                   11\n         Management Control Program Review                                  12\n         Prior Coverage                                                     12\n     B. Deputy Secretary of Defense Responses to the Inspector General,\n         DoD, Preliminary Findings and Recommendations                      13\n     C. Component Organizations of the Office of the Secretary of Defense\n         Visited During the Audit                                           16\n     D. Report Distribution                                                 18\n\nManagement Comments\n     Assistant Secretary of Defense (Command, Control, Communications,\n       and Intelligence)                                                    21\n     Washington Headquarters Services                                       22\n     Under Secretary of Defense for Policy                                  24\n\x0cBackground\n     Office of the Secretary of Defense (OSD). The OSD is the principal staff\n     element of the Secretary of Defense in the exercise of policy development,\n     planning, resource management, and fiscal and program evaluation\n     responsibilities. The OSD includes four Under Secretaries of Defense, five\n     Assistant Secretaries of Defense, and other organizations. (See Appendix C for\n     a list of OSD components visited during the audit.) As of November 30, 2000,\n     OSD included 1,815 civilian personnel, 755 military personnel, and\n     1,638 contractor manyears. Overall administrative support is provided by the\n     Washington Headquarters Service (WHS) under the Director for Administration\n     and Management. WHS provides broad support for OSD organizations to\n     include maintaining centralized information technology equipment (ITE)\n     inventory records. WHS issues administrative instructions providing guidance\n     to other organizations for ITE functions. The individual OSD organizations\n     periodically update the WHS ITE inventory database while also maintaining\n     their own inventory records.\n     Administrative Instruction No. 56. Administrative Instruction No. 56,\n     \xe2\x80\x9cAutomated Information Resource Management (AIRM) in the Office of the\n     Secretary of Defense and Washington Headquarters Services,\xe2\x80\x9d August 20,\n     1991, provides guidance for AIRM support to OSD and the WHS. The\n     instruction generally covers the AIRM program. The instruction assigns WHS\n     responsibility for maintaining and operating an automated centralized inventory\n     control system that is compatible with the DoD-wide inventory system and\n     meets the needs of Defense Information Systems Agency in accomplishing its\n     ITE mission.\n     Automated Data Processing Resources Management. DoD Directive 7950.1,\n     \xe2\x80\x9cAutomated Data Processing Resources Management,\xe2\x80\x9d September 29, 1980,\n     provides policy guidance on the management and reporting of automatic data\n     processing resources within the OSD and DoD Components. That directive was\n     implemented by DoD 7950.1-M, \xe2\x80\x9cDefense Automation Resources Management\n     Manual,\xe2\x80\x9d September 1988, which provides consistent procedures, standards,\n     policies, definitions, and requirements governing the redistribution, sharing, and\n     inventorying of automation assets. The manual applies to all DoD Components.\n\nObjectives\n     Our objective was to determine whether information technology equipment in\n     the possession of the OSD was adequately managed. Work on this project\n     included verifying existence and completeness of information technology\n     equipment databases and other records used to control equipment within the\n     OSD. We also assessed the management control program as it relates to the\n     overall objective. See Appendix A for a discussion of the audit scope and\n     methodology, our review of the management control program, and prior audit\n     coverage, related to the audit objectives.\n\n\n                                         1\n\x0c            Management of Information Technology\n            Equipment\n            The OSD practices and controls for managing ITE needed improvement.\n            Based on a statistical test for existence and a nonstatistical test for\n            completeness, ITE inventory records were incomplete and inaccurate.\n            The existence test consisted of a physical inventory of statistically\n            selected ITE items from a universe of about 34,000 items. The results of\n            the existence test projected that an estimated 2,790 (8 percent) ITE items\n            would not be located if a full inventory were conducted. The\n            completeness test showed that of 635 ITE items judgmentally selected\n            from OSD work spaces, 51 (8 percent) ITE items were not included on\n            any OSD inventory records. In addition, we estimated that the records\n            for 7,859 (23 percent) ITE items contained critical inventory data errors.\n            In addition, security problems were identified when computers\n            containing sensitive information were marked for reutilization outside of\n            the DoD, and personal digital devices were used inappropriately in\n            secure classified areas. The problems occurred because there was no\n            single authority, such as a Chief Information Officer (CIO), managing\n            the information technology equipment within the OSD. A CIO would\n            have had the responsibility for ensuring that the OSD developed and\n            implemented management controls related to an integrated, consistent\n            process for receiving, recording, and disposing of information\n            technology equipment. As a result, the OSD was at risk for the loss of\n            computer equipment and the loss of sensitive and classified information.\n\n\n\nInventory Tests\n     The WHS maintains a centralized database of ITE owned by OSD. The\n     database included about 34,000 ITE items such as central processing units, hard\n     drives, personal computers, and computer monitors and was updated every 6\n     months by OSD component organizations. Our audit included two tests to\n     measure the existence and completeness of overall inventory database accuracy.\n     Existence tests measured the ability to physically locate the equipment recorded\n     on the information technology inventory databases. Completeness tests\n     ascertained whether equipment located in OSD work spaces was recorded on the\n     information technology inventory databases.\n\n            Existence Test Results. We statistically sampled items from the\n     34,000 pieces of information technology equipment listed in the WHS active\n     property database as of October 2, 2000. We conducted a physical inventory to\n     determine whether OSD components could locate 635 selected items. The\n     projected results of the existence test are provided in Table 1.\n\n\n\n\n                                        2\n\x0c                   Table 1. Projected Existence Test Results\n\n\n\n      ITE Database           Estimated Number of          Estimated Number of\n        Universe               Items Not Found         Significant ITE Data Errors\n\n         33,889                      2,790                        7,859\n\n\n\nBased on the results of our statistical sampling, we estimated that about 2,790\n(8 percent) ITE items would not be located if a complete wall-to-wall inventory\nwas taken. Among the specific items in our sample not located were personal\ncomputers, laptops, and hard drives. For those items that were located, we\nverified that database information such as the location, serial number, bar code,\nand other identifying information of ITE were reported correctly in the WHS\ndatabases. We estimated that data errors would exist in the inventory records\nfor 7,859 (23 percent) of the items. The data errors we noted, such as incorrect\nlocations, would make it difficult for the OSD to effectively manage the large\nquantity of ITE in the database. (See Appendix A for the statistical sampling\nmethodology and other information related to the existence test.)\n\n        Completeness Test Results. We selected 635 items of ITE on a\nnonstatistical basis located in the work spaces visited and determined whether\nthe items were included on the WHS and component databases. The results are\nincluded in Table 2.\n\n                      Table 2. Completeness Test Results\n\n   Total Work Spaces        Work Spaces ITE not          Work Spaces ITE with\n     ITE Reviewed           on any OSD Database              Data Errors\n\n           635                           51                        319\n\n\n\nThe results showed that 51 (8 percent) of the 635 work space selections, which\nincluded personal computers and laptops, were not recorded on any OSD\ndatabase. In addition, 319 (50 percent) of the supporting inventory records for\n635 ITE items contained significant data errors on the OSD database. As noted\nin the existence test, data errors such as incorrect locations make it difficult to\neffectively manage ITE.\n\n\n\n\n                                     3\n\x0cSingle ITE Manager\n    The OSD did not have a single, centralized manager for information technology\n    equipment within the OSD. A manager, such as a CIO, could have ensured that\n    the OSD developed and implemented management controls related to an\n    integrated, consistent process for receiving, recording, and disposing of\n    information technology equipment. This manager could have also ensured that\n    OSD policy and management control procedures for ITE were current and\n    implemented by the OSD. At the time of the audit, the Assistant Secretary of\n    Defense (Command, Control, Communications, and Intelligence) [ASD(C3I)]\n    was only responsible for overall DoD policy related to automated data\n    processing equipment and WHS had only limited responsibility for managing\n    ITE within the OSD.\n\n    Information Technology Equipment Policies. The ASD(C3I) had not issued\n    updated ITE policies for the OSD. The most recent comprehensive policy\n    document, DoD Directive 7950.1, was prepared more than 20 years ago, and\n    does not reflect the state of information technology in existence at the time of\n    this audit. The policy does not cover issues such as the use of personal digital\n    devices and the ability of software to recover data on hard drives. The\n    ASD(C3I) recognized that the document was outdated and in early FY 2000, a\n    draft policy document was prepared but was never issued. We were unable to\n    determine the reason for not issuing the policy. As a result of the outdated\n    policies, we observed poor security practices within the OSD. For instance,\n    during the physical inventory, a personal digital device similar to a palm pilot\n    was attached inappropriately to a computer processing unit designated to handle\n    classified material. Such a practice can compromise national security because of\n    the risk that classified information could be recorded on the personal digital\n    device and taken out of the secure area on a nonrestricted device. We reported\n    the incident as a potential security violation. Further, an additional 15 personal\n    digital devices were observed in restricted classified areas in the OSD.\n\n    Washington Headquarters Services. A single ITE manager with clear\n    authority would be able to issue and implement mandatory operating procedures\n    and practices. The WHS issued administrative instructions and inventory\n    bulletins covering the centralized database records, aspects of excessing\n    equipment, and some disposal practices. The bulletins, however, were limited\n    in scope, provided guidance that was not often followed and was not mandatory.\n    WHS did not believe it had the authority to make its instruction mandatory.\n    Each OSD component was expected to create its own policies and procedures\n    within the overall guidance issued by WHS.\n\n    Chief Information Officer. The Clinger-Cohen Act of 1996, P.L. (104-106),\n    Division E, Sec. 5002(3)(A), (B), and (C) requires all Government agencies to\n    appoint a CIO responsible for overall management of automated systems. The\n    ASD(C3I) implemented this policy in DoD by requiring DoD Components to\n    appoint CIOs; however, implementing instructions were never issued for OSD.\n    Like the rest of the DoD, OSD would benefit from having a CIO.\n\n\n                                        4\n\x0cManagement Control Processes\n    The OSD lacked an integrated, consistent management control process for\n    receiving ITE and maintaining an ITE inventory database. WHS Administrative\n    Instructions generally did not mandate specific procedures for an ITE\n    management control process. Each OSD organization was allowed to establish\n    specific procedures for controlling ITE.\n\n    Control Process. The practices followed by OSD component organizations\n    were not based on centralized or consistent procedures. For example, some\n    OSD component organizations used bar coding for controlling inventory and\n    others did not. An effective control process should include standard procedures\n    for recording equipment in accountability records upon receipt. Such\n    procedures would establish a clear record of who is using the equipment, for\n    what purpose, and how it is disposed at the end of its useful life. We believe\n    that the most effective accountability systems use a single record system and\n    uniform policies and procedures for an entire organization.\n\n            Procedures for Receiving Equipment. ITE was being brought into\n    OSD locations from multiple entry points. Equipment was delivered to multiple\n    storage facilities and sent directly to work spaces. For example, two\n    organizations maintained central warehouses for equipment, and one of these\n    organizations generally ensured that all equipment was delivered to the\n    warehouse. However, the same organization purchased ITE using Government\n    credit cards and the ITE was delivered directly to work stations without\n    accountability at the central warehouse. Several items from this organization\n    could not be located during our audit, and the records for several other items\n    contained errors. The use of a single entry point for all equipment would\n    greatly increase the ability of the OSD to ensure that equipment was\n    appropriately recorded in inventory records, marked, and controlled.\n\n           WHS Inventory Records. Administrative Instruction No. 56 designates\n    WHS as the office responsible for maintaining ITE inventory records. WHS\n    maintains a database intended to provide a central record of ITE for use in\n    meeting information needs of the Defense Information Systems Agency.\n    However, the WHS database did not include location and user information, a\n    complete history of all equipment, and other information needed to effectively\n    manage ITE. WHS updated the centralized database every 6 months using\n    information provided by the OSD component organizations. As a result, the\n    WHS centralized database did not include current information, especially for\n    those organizations that failed to provide updated information. WHS relied on\n    each OSD office to maintain separate records with more detailed information.\n    There were 14 separate sets of automated inventory records in the OSD.\n\n            OSD Component Inventory Records. The individual OSD component\n    inventory records we reviewed generally did not include information showing\n    whether the equipment was used to process classified information, the reason for\n    removing an item from inventory, and a history of an item from acquisition to\n    disposition. Organizations also used different database formats and data\n    elements. For example, one OSD organization deleted more than 500 items of\n                                       5\n\x0c    equipment, valued at more than $1 million, from its records in December 1999.\n    We were unable to trace any of the equipment in the inventory records to\n    determine the reasons recorded for the deletions and history for each item. A\n    Defense Protective Service Investigation report covering the matter indicated\n    that the items were either lost or removed from OSD locations as a result of\n    poor accountability. The actual disposition of the 500 items will never be\n    known because the entire record for the deleted items was removed by the OSD\n    organization instead of modifying the record to show the reason for the loss.\n    The lack of adequate detail, inaccurate and incomplete records, and inconsistent\n    database layouts all contributed to poor inventory records.\n\n           WHS Accountability. Although WHS had overall inventory\n    responsibility, it had delegated the detailed accountability functions to each OSD\n    component. During the period from 1995 to 1999, WHS performed periodic\n    inventory spot checks to check the accuracy of OSD records. The results of the\n    spot checks showed that most OSD components were improving but ITE\n    accountability problems still remained. The WHS spot checks for 2000 were\n    not conducted because of our audit. In view of the large numbers of missing\n    items, unrecorded items and inaccurate records, a wall-to-wall inventory is\n    needed to establish a complete database, with physical inventories taken\n    annually to ensure the accuracy of inventory records. The physical inventories\n    could be part of the annual management control assessments already required by\n    DoD.\n\n\n\nOSD Computer Disposal Practices\n    OSD disposal practices were not adequate for safeguarding the sensitive\n    information residing in DoD computers. OSD did not have current guidance for\n    OSD components to follow. The most recent guidance was issued more than\n    20 years ago, before many of the technologies commonly in use today were\n    available.\n\n    Reutilization of DoD Computers. Until November 2000, the OSD participated\n    in a computer reutilization program. The procedures for excessing OSD\n    computers call for swiping clean or sanitizing the hard drives of computers that\n    do not contain classified information. Our initial visit to the WHS warehouse\n    used to store excess OSD computers in the reutilization program resulted in the\n    identification of four computers that contained either sensitive or classified\n    information on the hard drives. In accordance with existing procedures, the\n    owning organizations were supposed to have \xe2\x80\x9cswiped\xe2\x80\x9d the hard drives clean and\n    a WHS official was supposed to have certified that the computers no longer\n    contained sensitive or classified information. However, these procedures were\n    not followed. In addition, we were also able to use software to reconstruct\n    information that was supposedly removed from the hard drives. As a result, the\n    disposal of any OSD computer that processes sensitive or classified information\n    represents a potential risk.\n\n\n                                        6\n\x0cDeputy Secretary of Defense Actions\n    On October 31, 2000, we advised the Secretary of Defense of weaknesses in\n    OSD computer disposal operations. On November 7, 2000, the Deputy\n    Secretary of Defense directed immediate action to correct the weaknesses within\n    the OSD and then on January 8, 2001, he directed the destruction of all DoD\n    computer hard drives prior to disposal of computers outside of DoD.\n    Subsequently, the DoD Chief Information Officer Executive Board established a\n    working group to review issues and refine the policy related to the Deputy\n    Secretary of Defense direction to destroy DoD computers hard drives prior to\n    disposal.\n\n    On December 4, 2000, we advised the Secretary of Defense of weaknesses in\n    the inventory management of OSD computer equipment, and provided proposed\n    recommendations for corrective action. On December 15, 2000, the Deputy\n    Secretary of Defense stated that he wanted to implement the Inspector General\xe2\x80\x99s\n    recommendations and directed the ASD(C3I) to take immediate action to correct\n    the inventory management problem. (See Appendix B for the three Deputy\n    Secretary of Defense Memorandums.) We believe an action plan with\n    milestones should be prepared to ensure prompt implementation of the\n    recommendations.\n\n\n\nRecommendations, Management Comments, Audit Response\n    We recommend that the Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence):\n\n    1. Establish a time-phased plan to implement the recommendations\n    directed by the Deputy Secretary of Defense during the audit. The\n    recommendations include:\n\n       a. Establish a Chief Information Officer for the Office of the Secretary\n    of Defense with responsibility for developing an integrated, consistent\n    management control process for managing information technology\n    equipment within the Office of the Secretary of Defense;\n\n       b. Rely on a single inventory database and standard process for\n    controlling information technology equipment. Replace all existing\n    databases with a single database designed to meet the needs of multiple\n    users;\n\n       c. Perform a wall-to-wall physical inventory of information technology\n    equipment within the Office of the Secretary of Defense and establish\n    quality control procedures to ensure that the master database inventory is\n    maintained on a real-time basis;\n\n\n                                       7\n\x0c   d. Require comprehensive information technology equipment inventory\nreviews at least annually, preferably as part of each office\xe2\x80\x99s management\ncontrol self-assessments;\n\n   e. Establish a clear chain of custody for equipment, including using\nhand receipts signed by the end user of the equipment;\n\n   f. Establish a single entry and exit point for all information technology\nequipment, ensuring that all equipment is recorded on inventory records\nbefore release to the user and then is appropriately excessed; and\n\n   g. Implement a policy (as directed by the Deputy Secretary of Defense\nmemorandum of December 15, 2000) that requires all hard drives of OSD\ncomputers being disposed of outside the DoD be destroyed.\n2. Develop policy regarding the proper use of current technology items,\nsuch as personal digital devices, with secure classified computers.\n\nAssistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) Comments. The Deputy Assistant Secretary of Defense,\nCommand, Control, Communications, and Intelligence, and Deputy Chief\nInformation Officer of DoD acknowledged the concurrence of the Deputy\nSecretary of Defense to the audit report findings and recommendations. The\nDeputy Assistant Secretary stated that actions were underway to provide for the\nDoD CIO to serve as the OSD CIO through updates to DoD Directive 8000.1,\n\xe2\x80\x9cManagement of Department of Defense Information Resources and Information\nTechnology\xe2\x80\x9d and WHS issued updated guidance on January 22, 2001, for\nremoval of all hard drives prior to surplus turn-ins of excess ITE. The Deputy\nAssistant Secretary stated he had concern about the cost to implement several of\nthe inventory management recommendations, and that his office would follow\ninvestment management guidance while considering the cost benefit of each\nrecommendation, the potential return on investment, and the affordability to\ninclude the impact on the full life-cycle requirements for acquiring, managing,\nand disposing of ITE. Further, as they develop their time-phased\nimplementation plan, they will evaluate alternatives for satisfying the\nrecommendations.\n\nAs part of these alternatives, on March 6, 2001, the Director of the Washington\nHeadquarters Services issued policy prohibiting digital devices in Pentagon\nSensitive Compartmented Information Facilities unless digital devices were\nmodified to prevent data transmission.\n\nAudit Response. The ongoing and proposed actions will benefit the\neffectiveness of the ITE management program in the OSD. We request the\nAssistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) provide additional comments describing when the time-phase\nimplementation plan will be completed.\n\nWashington Headquarters Services Comments. The Director, Washington\nHeadquarters Services, provided comments for clarification purposes, and\nemphasized inventory management improvements achieved since 1991. The\n                                   8\n\x0cDirector stated that the draft report was misleading in stating that the results of\ninventory spot checks performed between FY 1995 and FY 1999 showed that\nmost of the OSD components had accountability problems. Through hard work,\nOSD has improved its accountability of ITE based on the results of equipment\nexistence spot checks from 54 percent in 1995 to 94 percent in 1999. The\nresults in 1999 were compromised by two OSD components that scored only 78\nand 50 percent on the existence spot checks. The Director also commented that\nfurther analysis of alternatives was advisable before commitment to a single\ninventory system is made and more resources are applied to achieve marginal\nimprovement.\n\nAudit Response. We agree that the spot checks indicate improvement in ITE\naccountability practices since 1995. However, the value of the pre-announced\nspot check as a management tool is limited. Unannounced statistical samples\nare more appropriate for measuring the implementation of internal controls.\nMore importantly, we believe that the OSD should set a strong example within\nthe DoD for emphasis on inventory control and security. The Director\xe2\x80\x99s\nconcerns regarding the need for further analysis are noted, but the Deputy\nSecretary of Defense and the Assistant Secretary of Defense (Command,\nControl, Communications, and Intelligence) have already concurred with the\nrecommendation and with the need to improve inventory control.\n\nUnder Secretary of Defense for Policy Comments. The Director, Policy\nAutomation, Office of the Deputy Under Secretary of Defense Policy Support,\nexpressed concerns regarding problems with the conduct of the audit that may\nhave contributed to erroneous conclusions, raising a question about the\ncredibility of the audit. The Director offered to have us review worksheets that\ndetailed the errors. Further, the Director had concerns with several of the\nrecommendations in the report. Specifically, the Director stated that a single\nsystem to control all OSD equipment is not reasonable and that it is impossible\nto physically inventory everything at one snapshot in time in a \xe2\x80\x9cwall-to-wall\xe2\x80\x9d\ninventory. The Director further stated that hand receipting all users may result\nin a loss of control and establishment of a single point of entry for the OSD\nwould compound the problems of tracking procurement actions to delivery\norders.\n\nAudit Response. We accepted the Director\xe2\x80\x99s offer to review the worksheets of\nhis staff. The worksheets and associated analysis did not refute the facts and\nconclusions as presented in our report. The recommendations with which the\nDirector disagrees were made to another OSD component and the Deputy\nSecretary of Defense has previously directed implementation of the\nrecommendations.\n\n\n\n\n                                     9\n\x0cAppendix A. Audit Process\n\nScope\n    Work Performed. This audit focused on whether information technology\n    equipment in the possession of the Office of the Secretary of Defense is\n    adequately managed. The WHS provided a copy of the ITE inventory database\n    that contained 33,889 inventory records as of October 2, 2000. We statistically\n    selected 635 items from the database for review. In addition, we judgmentally\n    selected 635 items from the locations visited for review. We reviewed the\n    procedures for recording and reporting ITE inventory data. We conducted our\n    review at the offices of the Secretary of Defense within the Washington\n    Metropolitan area. See Appendix C for a list of the offices visited.\n\n    DoD-Wide Corporate-Level Government Performance and Results Act\n    (GPRA) Coverage. In response to the GPRA, the Secretary of Defense\n    annually establishes DoD-wide corporate level goals, subordinate performance\n    goals, and performance measures. This report pertains to achievement of the\n    following objectives and goal, subordinate performance goal, and performance\n    measure.\n\n        \xe2\x80\xa2 FY 2001 DoD Corporate-Level Goal 2: Prepare now for an uncertain\n          future by pursuing a focused modernization effort that maintains U.S.\n          qualitative superiority in key warfighting capabilities. Transform the force\n          by exploiting the Revolution in Military Affairs, and reengineer the\n          Department to achieve a 21st century infrastructure. (01-DoD-02)\n\n        \xe2\x80\xa2 FY 2001 Subordinate Performance Goal 2.3: Streamline the DoD\n          infrastructure by redesigning the Department\xe2\x80\x99s support structure and\n          pursuing business practice reforms.\n\n        \xe2\x80\xa2 FY 2001 Subordinate Performance Goal 2.5: Improve DoD financial\n          and information management. (01-DoD-2.5)\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Information Management and Technology high-risk area.\n\nMethodology\n    Use of Computer-Processed Data. To achieve the audit objective, we\n    extensively relied on computer-processed data from WHS inventory database\n    and databases from various OSD components when available. The results of\n    our data testing showed an error rate that casts doubt on the data accuracy.\n    However, when the data are reviewed in context with other available evidence,\n    we believe that the opinions and conclusions in this report are valid.\n\n                                        10\n\x0c    Audit Type, Dates, and Standards. We performed this economy and\n    efficiency audit from October 2000 through January 2001 in accordance with\n    auditing standards issued by the Comptroller General of the United States, as\n    implemented by the Inspector General, DoD. We included tests of management\n    controls considered necessary.\n\n    Potential Security Violations. We referred two potential security violations to\n    the cognizant security offices for action.\n\n    Contacts During the Audit. The organizations contacted during the audit are\n    listed in Appendix C.\n\nStatistical Sampling Methodology\n    Sampling Purpose. The purpose of the statistical sampling plan was to estimate\n    the number of items missing from or not properly recorded in the information\n    technology equipment database.\n\n    Universe Represented. WHS provided a database of information technology\n    equipment as of October 2, 2000. The database consisted of 33,889 items with\n    a total value of $99.8 million.\n\n    Sampling Design. The sampling design used to determine whether or not items\n    were missing from or whether or not items were properly recorded in the\n    information technology equipment database was a stratified attribute design. We\n    divided the population into two strata: a census strata, which consisted of the\n    five largest data processing installation identifier codes, and an all other strata.\n    The census strata contained 72 percent of the items. A random sample of 105\n    items was selected for review from each of the five data processing installation\n    identifier codes that made-up the census strata. From all other strata, 110 items\n    were randomly selected for review.\n\n    Sample Results. We derived the following statistical estimates from the\n    information technology equipment database:\n\n                   Missing Items and Data Errors Statistical Bound\n                          (95 Percent Confidence Intervals)\n\n                         Lower Bound          Point Estimate        Upper Bound\n\n     Items Missing           2,049                2,790                 3,531\n\n     Data Errors             6,714                7,859                 9,004\n\n\n\n\n                                        11\n\x0cManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control Program,\xe2\x80\x9d August 26, 1996,\n    and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program\n    Procedures,\xe2\x80\x9d August 28, 1996, require DoD organizations to implement a\n    comprehensive system of management controls that provides reasonable\n    assurance that programs are operating as intended and to evaluate the adequacy\n    of the controls.\n\n    Scope of Review of Management Control Programs. We reviewed the\n    adequacy of management controls over procedures to ensure that ITE is\n    accurately recorded and reported. We did not assess management\xe2\x80\x99s self-\n    evaluation of those controls.\n\n    Adequacy of Management Controls. We identified material management\n    control weaknesses at the OSD as defined by DoD Instruction 5010.40. Weak\n    management controls at OSD components were exhibited by the lack of a\n    centralized process for receiving, controlling, and disposing of ITE. No single\n    official was responsible for control and management of ITE. Responsibilities\n    for ITE policies and procedures were divided among many offices, and\n    individuals were not made clearly responsible for the security and control of\n    equipment assigned to them. A copy of the report will be provided to the\n    Director, Administration and Management, who is responsible for management\n    controls in the OSD.\n\n\n\nPrior Coverage\n    The Inspector General, DoD, issued one investigation report relating to OSD\n    ITE issues, \xe2\x80\x9cAllegations of Breaches of Secretary of Defense, Dr. John M.\n    Deutch, Former Deputy Secretary of Defense and Former Under Secretary of\n    Defense for Acquisition and Technology,\xe2\x80\x9d August 28, 2000\n\n\n\n\n                                       12\n\x0cAppendix B. Deputy Secretary of Defense\n            Responses to the Inspector General,\n            DoD, Preliminary Findings and\n            Recommendations\n\n\n\n\n                      13\n\x0c14\n\x0c15\n\x0cAppendix C. Component Organizations of the\n            Office of the Secretary of Defense\n            Visited During the Audit\n    We conducted our review at the following offices of the Secretary of Defense\n    within the Washington Metropolitan area:\n\n    Under Secretary of Defense\n\n    \xe2\x80\xa2   Under Secretary of Defense for Policy\n\n    \xe2\x80\xa2   Under Secretary of Defense for Acquisition, Technology, and Logistics\n\n    \xe2\x80\xa2   Under Secretary of Defense (Comptroller)\n\n    \xe2\x80\xa2   Under Secretary of Defense for Personnel and Readiness\n\n    Assistant Secretary of Defense\n\n    \xe2\x80\xa2   Assistant Secretary of Defense (Legislative Affairs)\n\n    \xe2\x80\xa2   Assistant Secretary of Defense (Health Affairs)\n\n    \xe2\x80\xa2   Assistant Secretary of Defense (Public Affairs)\n\n    \xe2\x80\xa2   Assistant Secretary of Defense (Reserve Affairs)\n\n    \xe2\x80\xa2   Assistant Secretary of Defense (Command, Control, Communications, and\n        Intelligence)\n\n    Other OSD Organizations\n\n    \xe2\x80\xa2   Assistant to the Secretary of Defense (Intelligence Oversight)\n\n    \xe2\x80\xa2   Assistant to the Secretary of Defense (Executive Secretariat)\n\n    \xe2\x80\xa2   Defense Acquisition University\n\n    \xe2\x80\xa2   DoD Joint Defense Total Asset Visibility Office\n\n    \xe2\x80\xa2   Office of Economic Adjustment\n\n    \xe2\x80\xa2   Strategic Environmental Research and Development Program\n\n    \xe2\x80\xa2   Space Architecture\n\n    \xe2\x80\xa2   Test Systems Engineering and Evaluation\n\n                                         16\n\x0c\xe2\x80\xa2   Information Technology Directorate\n\n\xe2\x80\xa2   Director, Program Analysis and Evaluation\n\n\xe2\x80\xa2   General Counsel\n\n\xe2\x80\xa2   Director, Operations Test and Evaluation\n\n\xe2\x80\xa2   Office of the Special Assistant for Gulf War Illnesses\n\n\xe2\x80\xa2   Director, Administration and Management\n\n\xe2\x80\xa2   Enterprise Support Organization\n\n\xe2\x80\xa2   Air Force Pentagon Communication Agency (OSD Support)\n\n\xe2\x80\xa2   Defense Supply Service \xe2\x80\x93 Washington (OSD Support)\n\n\n\n\n                                    17\n\x0cAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n  Director, Program Analysis and Evaluation\nUnder Secretary of Defense for Personnel and Readiness\n  Assistant Secretary of Defense (Health Affairs)\n  Assistant Secretary of Defense (Reserve Affairs)\nUnder Secretary of Defense for Policy\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\nAssistant Secretary of Defense (Legislative Affairs)\nAssistant Secretary of Defense (Public Affairs)\nAssistant to the Secretary of Defense (Intelligence Oversight)\nGeneral Counsel\nDirector, Administration and Management\nDirector, Operational Test and Evaluation\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Washington Headquarters Services\n\n\n\n\n                                          18\n\x0cNon-Defense Federal Organizations and Individuals\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         19\n\x0c\x0cAssistant Secretary of Defense (Command,\nControl, Communications, and Intelligence)\nComments\n\n\n\n\n                   21\n\x0cWashington Headquarters Services   Final Report\n                                    Reference\n            Comments\n\n\n\n\n                                   Revised\n\n\n\n\n                  22\n\x0c     Final Report\n      Reference\n\n\n\n\n23\n\x0cUnder Secretary of Defense for Policy\nComments\n\n\n\n\n                    24\n\x0c25\n\x0cAudit Team Members\nThe Finance and Accounting Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personnel of the Office of the Inspector General,\nDoD, who contributed to the report are listed below.\n\nF. Jay Lane\nSalvatore D. Guli\nCharles J. Richardson\nWalter R. Loder\nAdrienne B. Brown\nMichael L. Davitt\nBryan K. Kitchens\nLinh Truong\nBarry D. Gay\nWalter J. Gaich\nJohn W. Wright\nCharles A. Mordecai\nAlejandra Rodriguez\nLusk Penn\n\x0c'